TrueCrypt – WARNING of Flaw in Truecrypt Encryption – Boing Boing

The Sourceforge project page for Truecrypt now sports a cryptographically signed notice that Truecrypt should no longer be used as it is not secure. The news came on the heels of a crowdfunded $70K security audit of the open source, anonymously maintained software giving it a relatively positive initial diagnosis. The announcement — signed by the same key that has been used to sign previous, legitimate updates — links Truecrypt’s deprecation to Microsoft’s decision to cease supporting Windows XP, though no one seems to have a theory about how these two facts relate to one another.

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Matthew Green, a Johns Hopkins University Information Security Institute crypto researcher, is the experts who led the fundraising in order to audit the Truecrypt source; in an interview with Brian Krebs, he says that he intends on continuing the work:

“There are a lot of things they could have done to make it easier for people to take over this code, including fixing the licensing situation,” Green said. “But maybe what they did today makes that impossible. They set the whole thing on fire, and now maybe nobody is going to trust it because they’ll think there’s some big evil vulnerability in the code.”

Green acknowledged feeling conflicted about today’s turn of events, and that he initially began the project thinking TrueCrypt was “really dangerous.”

“Today’s events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green said. “But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact the we were doing an audit of the crypto might have made them decide to call it quits.”

Whether or not volunteer developers pick up and run with the TrueCrypt code to keep it going, Green said he’s committed to finishing what he started with the code audit, if for no other reason than he’s sitting on $30,000 raised for just that purpose.